Security researchers at Palo Alto Networks disclosed that an old ransomware family – Bucbi ransomware – has been just revived after 2 years of silence. The Bucbi threat was discovered in 2014, and it hasn’t been registered active since then. Not only it has been revived but it has also been updated. Above, you see the original ransom note used by Bucbi in 2014’s attacks.
|Short Description||Bucbi ransomware was first spotted in 2014, but has been just revived.|
|Symptoms||The victim’s files are inaccessible and encrypted.|
|Distribution Method||Via brute-forcing RDP accounts.|
|Detection Tool|| See If Your System Has Been Affected by Bucbi Ransomware |
Malware Removal Tool
|User Experience||Join our forum to find a solution for Bucbi Ransomware.|
Bucbi Ransomware: Current Distribution
When it was first reported, Bucbi was spread via HTTP downloads and exploit kits. Now a new distribution technique has been adopted by its authors – delivery via brute-forcing RDP accounts on Internet-facing Windows servers. However, Bucbi’s code is also modified – it no longer needs Internet connection to propagate.
Learn More about Brute Force Attacks
Who Is Behind Bucbi Ransomware?
According to the ransom notes dropped by Bucbi, it’s operated by a far-right Ukrainian nationalist political party called Ukrainian Right Sector. According to Wikipedia, Right Sector has originated in 2014 as a paramilitary confederation at the Euromaidan revolt in Kiev. The group which opposes Russia became a political party on 22 March 2014. In 2014, Right Sector claimed to have approximately 10,000 members.
As for Bucbi’s recent attacks, it’s still not known whether the information about Right Sector provided in the ransom notes is accurate or falsified. However, multiple Russian identifiers have been discovered in the latest infections, which contradict to the ransomware authors’ claims of Ukrainian origin.
Bucbi Ransomware: Technical Overview
As already mentioned, Bucbi’s latest distribution depends on brute-forcing techniques and open RDP (Remote Desktop Protocol) ports. Palo Alto researchers believe that the threat actors may have used a tool named RDP Brute (Coded by z668). This is a list of the IP addresses associated with Bucbi’s latest attacks at the end of March 2016:
Researchers also believe that the attackers first targeted PoS devices but later changed their tactics to monetize their malicious attempts. Palo Alto researchers have shared some of the usernames specific to PoS systems:
Some of the usernames specific to PoS systems include strings such as BPOS, FuturePoS, KahalaPoS, POS, SALES, Staff, and HelpAssistant.
More technical details of the attack find here: Palo Alto Networks Research Center
In conclusion, the latest variant of Bucbi ransomware implies to have been employed by Right Sector. If this claim is truthful, this would mean that the Ukranian far-right party has entered cybercrime, possibly to fund their cause, Palo Alto researchers write. However:
Attribution of this particular attack is difficult as there simply isn’t enough evidence to conclusively determine who is behind it. Various conflicting evidence make it impossible to say for sure. However, what is clear is that attackers are shifting tactics in how ransomware is deployed, and ensuring their malware is constantly being updated to deter defenders.
Bucbi Ransomware Removal & Decryption
Bucbi’s cryptography is still being investigated. More details will be available soon. It’s known that after the encryption process is finished, a README.txt will be placed on the user’s desktop:
The BitCoin address mentioned in the above screenshot has a single payment of 0.00896 BTC at the time of writing. This payment, being so low in value, was likely a test transaction used. The email address of ‘[email protected]’ has ties with the Ukrainian Right Sector in a number of external publications […].
If you have been infected by Bucbi ransomware, consider following the steps below. However, since the threat is still being analyzed, there is no guarantee that encrypted files will be decrypted via any alternative methods.